“The rationale for this proposed deprecation is that the upcoming 5.0 release is a good time to evaluate dependencies that are no longer receiving updates and will become risks in the future.”
Thank you for raising it, I support your proposal for deprecation.

On Fri, 11 Aug 2023 at 8:55, Abe Ratnofsky <a...@aber.io> wrote:

> Hey folks,
>
> Opening a thread to get input on a proposed dependency deprecation in 5.0:
> metrics-reporter-config has been archived for 3 years and not updated in
> nearly 6 years.
>
> This project has a minor security issue with its usage of unsafe YAML
> loading via snakeyaml’s unprotected Constructor:
> https://nvd.nist.gov/vuln/detail/CVE-2022-1471
>
> This CVE is reasonable to suppress, since operators should be able to
> trust their YAML configuration files.
>
> The rationale for this proposed deprecation is that the upcoming 5.0
> release is a good time to evaluate dependencies that are no longer
> receiving updates and will become risks in the future.
>
> https://issues.apache.org/jira/browse/CASSANDRA-18743
>
> —
> Abe